There are many cybersecurity lessons to be learned from the events of the last few years. The most fundamental of these is that security deserves its place at the table when it comes time for business leaders to discuss their priorities.
Gartner predicts global spending on information security and risk management services and technology will hit $150.4 billion this year. Market segments such as network security, infrastructure protection, and security services are expected to take up the bulk of the spending, though the firm anticipates cloud security will be the fastest-growing segment by far.
Our research team asked 683 security professionals what they predict will happen to their security budget in the next 12 months. 60% are expecting an increase.
The expanding security budgets are an indication that companies understand how much security can underpin everything they do. From the onboarding and offboarding of employees to protecting and managing the supply chain, cybersecurity touches essentially every aspect of business operations in some way. Supporting business objectives means weaving security into each and every business process and department.
Take the secure development of customer-facing applications, for example. The concept of shift-left security pushes cybersecurity earlier into the application development process to support DevOps. The idea behind it is to avoid slowing down the delivery of applications by automating the testing process and integrating it into the CI/CD pipeline instead of the more traditional approach of waiting until the coding process was complete before testing for security issues. Getting applications to market faster enables businesses to better serve their customers, and eliminating bugs and vulnerabilities before deployment reduces the risk of attacks and threats to customer data.
There is no separating security from the technology organizations are using to optimize their operations and drive new revenue streams. Businesses cannot embrace cloud computing safely without the ability to maintain visibility and control access. They cannot confidently leverage the full power of the Internet of Things (IoT) without the ability to address the challenges of monitoring and managing a large attack surface. Effective digital transformation is impossible without taking security into account. Move too quickly without considering the security impact, and you risk introducing, well, risk. On the flip side, slowing the speed of business operations is far from ideal.
Shifting to Proactive Cybersecurity
Organizations need to get ahead of security threats. Simply sitting back and acting reactively is not enough. The best defense is a proactive one—one that involves a mix of security awareness training, best practices, and technology that keeps pace with existing and emerging threats.
A layer of that defense involves educating employees about the threats they will face. Security awareness training is an important piece of multiplying the impact of security tools. The ability to identify phishing emails or efforts by scammers to trick users via means such as text messages or phone calls can help raise the bar attackers have to clear to penetrate security. While cybersecurity awareness training can help turn employees into security multipliers, education can only do so much. In a survey of 1,028 security professionals conducted by Media Sonar, 70% reported that less than half of their employees were properly trained in cybersecurity best practices.
As with all of your defenses, up-to-date information about the threat landscape is a must for effectively guiding security awareness efforts. Threat intelligence provides the data that organizations need to inform their security strategy and identify emerging and ongoing threats. Web intelligence and investigation platforms like Media Sonar automate the process of collecting, correlating, and operationalizing information from across the deep, dark, and surface web. This information does not just include stolen data or passwords but also negative mentions of your corporate brand and information about your third-party vendors, allowing you to make informed decisions across each department and business process.
In the past, threat intelligence was the province of a few employees within a security team tasked with developing generalized threat intelligence reports for the organization. Increasingly, however, the awareness that security touches all aspects of an organization and improved integration with other security tools have changed that approach. Today’s threat intelligence analyst needs to be able to develop and customize reports for multiple parts of the organization. As an example, threat intelligence can provide information about unpatched vulnerabilities that organizations can consider alongside CVSS scores when deciding what issues to prioritize. Likewise, information about existing and prospective vendors might be of interest to the CISO.
The proper approach treats security as an enabler of business instead of a red traffic light that stops progress. Burying one’s head in the sand has never been an answer to security challenges. As threat actors innovate and technology changes, keeping security top of mind will allow businesses to grow without sacrificing safety and compliance.